Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-39284

Good to know:

icon

Date: October 6, 2022

CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.

Language: PHP

Severity Score

Related Resources (9)

https://nvd.nist.gov/vuln/detail/CVE-2022-39284
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
https://github.com/codeigniter4/CodeIgniter4/issues/6540
https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie
https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
https://github.com/codeigniter4/CodeIgniter4/pull/6544
https://www.cve.org/CVERecord?id=CVE-2022-39284
https://www.mend.io/vulnerability-database/CVE-2022-39284

Severity Score

Weakness Type (CWE)

Improper Initialization

CWE-665

Incorrect Permission Assignment for Critical Resource

CWE-732

Top Fix

icon

Upgrade Version

Upgrade to version v4.2.7

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us